Overview
LimaCharlie can ingest Microsoft 365 Defender logs via three methods: the Azure Event Hub Adapter, the Microsoft Defender API, or a Custom Webhook.
Documentation for creating an event hub can be found here.
Telemetry Platform: msdefender
Deployment Configurations
All adapters support the same client_options, which you should always specify if using the binary adapter or creating a webhook adapter. If you use any of the Adapter helpers in the web app, you will not need to specify these values.
- client_options.identity.oid: the LimaCharlie Organization ID (OID) this adapter is used with.
- client_options.identity.installation_key: the LimaCharlie Installation Key this adapter should use to identify with LimaCharlie.
- client_options.platform: the type of data ingested through this adapter, like text, json, gcp, carbon_black, etc.
- client_options.sensor_seed_key: an arbitrary name for this adapter which Sensor IDs (SID) are generated from, see below.
Adapter-specific Options
- connection_string: the connection string provided in Azure for connecting to the Azure Event Hub, including the EntityPath=... component at the end which identifies the Hub Name (this component is sometimes not shown in the connection string provided by Azure, so you may need to append it yourself).
Guided Deployment
In the LimaCharlie web app, you can find a Microsoft Defender helper for connecting to an existing Azure Event Hub and ingesting Microsoft Defender logs.
Collecting Microsoft Defender Logs via a Binary Adapter
The following example configuration ingests Microsoft Defender logs from an Azure Event Hub to LimaCharlie.
./lc_adapter azure_event_hub client_options.identity.installation_key=<INSTALLATION_KEY> client_options.identity.oid=<OID> client_options.platform=msdefender client_options.sensor_seed_key=<SENSOR_SEED_KEY> client_options.hostname=msdefender "connection_string=Endpoint=sb://mynamespace.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=fnaaaaaaaaaaaaaaak0g54alYbbbbbbbbbbbbbbbALQ=;EntityPath=lc-stream"
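Because the Azure portal sometimes omits the EntityPath component, a small pre-flight check before launching the adapter avoids a confusing connection failure. The following POSIX shell snippet is an added example and is not part of LimaCharlie's documentation or tooling: it verifies that the connection string carries Endpoint, SharedAccessKeyName and SharedAccessKey, appends EntityPath=<hub name> when it is missing, and leaves a string that already has it untouched. The hub name lc-stream and the key value are constructed placeholders.

```shell
#!/bin/sh
# Added example (not LimaCharlie's own code): validate an Azure Event Hub
# connection string before passing it to lc_adapter, and append the
# EntityPath=<hub> component when the Azure portal left it out.

# has_component <connection string> <key>
# True when "<key>=" appears as its own ';'-separated component.
has_component() {
  case ";$1" in
    *";$2="*) return 0 ;;
    *) return 1 ;;
  esac
}

# ensure_entity_path <connection string> <hub name>
# Prints the connection string with EntityPath present, or fails with a
# message on stderr if a mandatory component is missing.
ensure_entity_path() {
  cs="$1"
  hub="$2"
  for key in Endpoint SharedAccessKeyName SharedAccessKey; do
    has_component "$cs" "$key" || {
      echo "connection string is missing $key=" >&2
      return 1
    }
  done
  if has_component "$cs" EntityPath; then
    printf '%s\n' "$cs"
  else
    cs="${cs%;}"   # drop a trailing ';' so we never emit ';;'
    printf '%s;EntityPath=%s\n' "$cs" "$hub"
  fi
}

# Example use (placeholder values; the key is constructed, not real):
#   RAW='Endpoint=sb://mynamespace.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=EXAMPLEKEY='
#   CS=$(ensure_entity_path "$RAW" lc-stream) || exit 1
#   ./lc_adapter azure_event_hub \
#     client_options.identity.oid="$OID" \
#     client_options.identity.installation_key="$INSTALLATION_KEY" \
#     client_options.platform=msdefender \
#     client_options.sensor_seed_key="$SENSOR_SEED_KEY" \
#     client_options.hostname=msdefender \
#     "connection_string=$CS"
```

The check only inspects the string's structure; it does not contact Azure, so it is safe to run in a CI step or a deployment script before the adapter starts.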